All times are UTC - 7 hours
 Post subject: ZSNES Total Control
PostPosted: Fri Feb 05, 2016 2:11 pm 
In this post, adam_smasher wrote:
> ZSNES also has a known security flaw that allows for arbitrary code execution on the host machine.

So does the Super Game Boy, but that was intentional.

More to the point: So do Super Mario Bros. 3 (bug 4961), Super Mario World (bug 4156), and Pokémon Yellow Version (bug 3894). I wonder whether ZSNES's bug could be combined with the bug in SMW to take control of a PC from a movie file. And is there a guide to making your own exploit package, so I can (say) write a .sfc program with a "Check for updates" feature that detects whether a new version of the game is available and offers to download it?

_________________
Pin Eight | Twitter | GitHub | Patreon

 Post subject: Re: ZSNES Total Control
PostPosted: Fri Feb 05, 2016 2:38 pm 
The zsnes exploit specifically involves a lack of sanity checks in the SA-1 emulation (for DMA transfers, if I remember right?).

The binaries and source for the PoC in that video are here, and I think one/both of the source packages has an explanation of how it works.

The exploit was fixed in the current development branch of zsnes, which is (or was, at the time) pretty much unusable for general gameplay purposes. I have no idea why they didn't release a patched version of 1.51 that people would actually have a reason to use, especially given how the zsnes release timeline looks.
 Post subject: Re: ZSNES Total Control
PostPosted: Fri Feb 05, 2016 3:47 pm 
> I wonder whether ZSNES's bug could be combined with the bug in SMW to take control of a PC from a movie file.

You definitely could if you used an SA-1 enabling hack on Super Mario World first.

I'm certain there are non-SA1 code execution bugs in ZSNES as well, if one were to try and find them. They found out about the SA-1 one because a ROM hack was causing weird emulator crashes.

> I have no idea why they didn't release a patched version of 1.51 that people would actually have a reason to use, especially given how the zsnes release timeline looks.

They haven't put out a new release since January of 2007. We're a year shy of a decade without a release.

I keep thinking, "will this be the year people stop believing a new version will be released?", and am continually disappointed.
 Post subject: Re: ZSNES Total Control
PostPosted: Fri Feb 05, 2016 5:01 pm 
Not SNES, but I suppose Regen has a similar issue? Because it consistently crashes whenever a program tries to access unmapped memory (instead of emulating it properly). I should know, it happens pretty much every time my code crashes, i.e. precisely when I would want to use Regen the most (for its disassembler). Argh!
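Both failure modes in this thread (the SA-1 DMA transfer with no sanity checks, and Regen crashing on accesses to unmapped memory) come down to an emulator dereferencing a host buffer with a guest-controlled offset. The example below is added here and is not ZSNES's or Regen's code: it uses a constructed toy address space (128 KiB of WRAM at address 0, everything else unmapped) and shows the unchecked DMA copy beside a bounds-checked one, plus a bus read that returns an open-bus value for unmapped addresses instead of faulting.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed toy address space: 128 KiB of emulated WRAM mapped at 0;
   every other guest address is unmapped. Not a real console memory map. */
#define WRAM_SIZE (128u * 1024u)
static uint8_t wram[WRAM_SIZE];

/* Bus read that tolerates unmapped guest addresses: reports the fault and
   returns an "open bus" 0xFF rather than reading outside the host buffer. */
uint8_t bus_read(uint32_t addr, int *unmapped) {
    if (addr >= WRAM_SIZE) {
        if (unmapped) *unmapped = 1;
        return 0xFF;
    }
    if (unmapped) *unmapped = 0;
    return wram[addr];
}

/* Bounds-checked single-byte write; returns -1 for an unmapped address. */
int wram_poke(uint32_t addr, uint8_t v) {
    if (addr >= WRAM_SIZE) return -1;
    wram[addr] = v;
    return 0;
}

/* The shape of the bug described in the thread: guest-supplied src/dst/len
   are used directly, so a length or address past WRAM_SIZE reaches host
   memory. Kept only for contrast with the checked version; never called. */
void dma_copy_unchecked(uint32_t src, uint32_t dst, uint32_t len) {
    memmove(&wram[dst], &wram[src], len);
}

/* Hardened form: validate both ranges before touching the buffer. The
   subtraction form avoids the uint32 wrap that src + len could hit.
   Returns 0 on success, -1 if the transfer would leave the mapped region. */
int dma_copy_checked(uint32_t src, uint32_t dst, uint32_t len) {
    if (len > WRAM_SIZE) return -1;
    if (src > WRAM_SIZE - len) return -1;
    if (dst > WRAM_SIZE - len) return -1;
    memmove(&wram[dst], &wram[src], len);
    return 0;
}
```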